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Claims 

1. A virtual private network including an internal secured portion which connects via at 
least a first gateway and a second gateway to an external portion, the network 

5 comprising: 

a plurality of workstations including at least one mobile workstation in the external 
portion; 

the first gateway; 
the second gateway; and 
10 means for automatically changing the point through which the mobile workstation 
communicates with the internal portion of the network from the first gateway to the 
second gateway, in response to movement of the mobile workstation. 

2. A network as claimed in claim 1, further comprising transfer means for transferring 
15 context information usable by a gateway in communications with the mobile workstation, 

. to the second gateway. 

3. A network as claimed in claim 2, wherein the context information includes an identifier 
of the mobile workstation. 

20 

4. A network as claimed in claim 3 wherein the identifier is the home address of the 
mobile workstation. 

5. A network as claimed in claim 2, 3 or 4 wherein the context information includes 
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material for defining secure communication means by which information is transferable 
securely between the mobile workstation in the external portion of the network and the 
internal portion of the network, via the second gateway. 

5 6. A network as claimed in claim 5, wherein the secure communication means is a 
security association pair between the second gateway and the mobile workstation. 

7. A network as claimed in any one of claims 2 to 6, wherein the transfer means is 
physically separate from the first gateway. 

10 

8. A network as claimed in any one of claims 2 to 7, wherein the transfer means 
additionally transfers information to the mobile workstation for enabling communications 
between the mobile workstation and the second gateway. 

15 9. A network as claimed in claim 8 wherein the information transferred to the mobile 

workstation enables secure communication means by which information is transferable 
securely between the mobile workstation in the external portion of the network and the 
internal portion of the network, via the second gateway. 

20 10. A network as claimed in claim 9, wherein the secure communication means is a 
security association pair between the mobile workstation and the second gateway. 

11. A network as claimed in claim 8, 9 or 10, wherein the information transferred to the 
mobile workstation comprises the address of the second gateway. 
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12. A network as claimed in any one of claims 8 to 11 , wherein the information 
transferred to the mobile workstation is transferred between the first gateway and the 
mobile workstation using an existing security association between the mobile 

5 workstation and the first gateway. 

13. A network as claimed in any preceding claim wherein the second gateway 
comprises one or more databases which are updated to enable the internal portion of 
the network and the mobile workstation, in the external portion of the network to 

10 communicate via the second gateway. 

14. A network as claimed in claim 13, wherein the one or more databases are a Security 
Policy Database and a Security Association Database. 

15 1 5. A network as claimed in any preceding claim wherein the mobile workstation 

comprises one or more databases which are updated to enable the internal portion of 
the network and the mobile workstation in the external portion of the network to 
communicate via the second gateway. 

20 16. A network as claimed in claim 15, wherein the one or more databases are a Security 
Policy Database and a Security Association Database. 

17. A network as claimed in any preceding claim further comprising location detection 
means for detecting the location of the mobile workstation and initiating a change in the 
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point through which the mobile workstation communicates with the internal portion of 
the network, from the first gateway to a better gateway. 

18. A network as claimed in claim 1 7, wherein the gateway is better because it is closer 
5 to the mobile workstation and/or it is optimal for routing existing sessions. 

19. A network as claimed in claim 17 or 18, wherein the detection means is responsive 
to a location identifier received from the mobile workstation. 

10 20 A network as claimed in claim 1 9, wherein the location identifier is the 
care-of-address of the mobile workstation. 

21 . A network as claimed in claim 20, wherein the identifier is received during a mobility 
binding update. 

15 

22. A network as claimed in any one of claims 17 to 21 , wherein the location detection 
means is separate from the first gateway. 

23. A network as claimed in claim 22 when dependent upon claim 7, wherein the 
20 location detection means and transfer means are housed together. 

24. A network as claimed in any preceding claim wherein the first gateway and the 
second gateway are in distinct physically separated segments of the network. 
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25. A network as claimed in any preceding claim, wherein the mobile workstation 
communicates with the internal portion of the network via the first gateway and also 
via the second gateway simultaneously for a transition period, before communicating via 
the second gateway only. 

5 

26 A network as claimed in any preceding claim wherein the mobile workstation, is 
involved in a session with a correspondent node. 

27. A network as claimed in claim 26, wherein the correspondent node is located in the 
10 internal portion of the network and the mobile workstation is located in the external 

portion of the network. 

28. A method of optimizing the route by which information travels between a mobile 
node in an external portion of a network and a correspondent node in an internal portion 

15 of a network, comprising the steps of: 

determining when a first serving gateway through which the mobile node communicates 
with the internal portion of the network, is sub-optimal; 
identifying a second gateway; and 

transferring the point through which the mobile node communicates with the internal 
20 portion of the network from the first serving gateway to the second gateway. 

29. A mobile workstation for connecting to an external portion of a network that includes 
an internal secured portion connected, via a first gateway and a second gateway to the 
external portion, comprising: 
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means arranged to receive, via the first secure communication means, an .identifier of a 
second gateway; and 

means arranged to change from communicating with the internal portion of the network 
through the first gateway to communicating via the second gateway. 

5 

30. A mobile workstation as claimed in claim 23, further comprising means for using a 
first secure communication means by which information is transferable securely between 
the interna! portion of the network and the mobile workstation via the first gateway, to 
receive the identifier of the second gateway; 

10 

31 . A mobile workstation as claimed in claim 23 or 24, further comprising means for 
using a second secure communication means to transfer information securely between 
the internal portion of the network and the mobile workstation via the second gateway; 

15 32. A virtual private network, substantially as hereinbefore described with reference to 
and/or as shown in Figures 1a, lb, 1c and 2. 

33. A method of optimizing routing in a virtual private network, substantially as 
hereinbefore described with reference to and/or as shown in Figures 1a, 1b, 1c and 2. 

20 

34. Any novel subject matter or combination including novel subject matter disclosed, 
whether or not within the scope of or relating to the same invention as the preceding 
claims. 
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means arranged to receive, via the first secure communication means, an. identifier of a 
second gateway; and 

means arranged to change from communicating with the internal portion of the network 
through the first gateway to communicating via the second gateway. 

5 

30. A mobile workstation as claimed in claim 23, further comprising means for using a 
first secure communication means by which information is transferable securely between 
the internal portion of the network and the mobile workstation via the first gateway, to 
receive the identifier of the second gateway; 

10 

31 . A mobile workstation as claimed in claim 23 or 24, further comprising means for 
using a second secure communication means to transfer information securely between 
the internal portion of the network and the mobile workstation via the second gateway; 

15 32. A virtual private network, substantially as hereinbefore described with reference to 
and/or as shown in Figures 1a, 1b, 1c and 2. 

33. A method of optimizing routing in a virtual private network, substantially as 
hereinbefore described with reference to and/or as shown in Figures 1a, 1b, 1c and 2. 

20 

34. Any novel subject matter or combination including novel subject matter disclosed, 
whether or not within the scope of or relating to the same invention as the preceding 
claims. 
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